Archive for April 2016

Google Pays Out $14K in Bug Bounties in Latest Chrome Update

Yes, a fake Chrome update is out there circulating, but Google released a real one this week as well, with nine patches that earned combined bug bounties of $14,000.

The malware-delivering “update” is for Android, but the latest stable channel has been legitimately updated to 50.0.2661.94 for Windows, Mac and Linux. Four of the flaws are considered high-severity.

Though Google didn’t release all the details of the bugs (and won’t, until the majority of users have updated), it did list the topline information. The high-severity flaws were an out-of-bounds write in Blink, memory corruption in cross-process frames, a use-after-free in extensions and a use-after-free in Blink’s V8 bindings. These all earned $3,000 each for external researchers.

Meanwhile, medium-severity issues include address bar spoofing and an information leak in V8—these earned $1,000 each. In total, five researchers split the $14,000.

Google also fixed an additional three security bugs using internal resources (CVE-2016-1666) that included “various fixes from internal audits, fuzzing and other initiatives.”

On the same day that the desktop patches were released, news broke that the research team at technology company Zscaler had uncovered what purported to be a mobile Chrome update. The .APK is actually a new Android infostealer capable of harvesting call logs, SMS data, browser history and banking information and sending them to a remote command and control server. It also presents bogus payment pages which ask for credit card information. If this is filled in, the infostealer sends the card details to a Russian phone number.

The firm said the malware also has the ability to go unseen by checking for well-known installed anti-virus applications such as Kaspersky, ESET and Avast and terminating them.

So how to tell the malicious thing from the real thing? Common sense. Real updates should only be downloaded from the vendor or provider’s website.

“It’s important to note that the malware does not rely on any exploits or vulnerabilities to function—it merely relies on scare tactics, almost certainly delivered by compromised advertising networks and websites,” said Tod Beardsley, security research manager at Rapid7, via email. “The user is tricked into downloading an update for the stock Chrome Browser not from the Play store, and once downloaded, the APK asks for administrative access. If successful, the malware can perform any action on behalf of the user.”

The organization sent out 37,000 of the devices to its members before a discussion on a security forum revealed that malware was present on at least some of the drives.

The drives contained a PDF file of dental procedure codes, but some of them, which were sourced from China, also had malicious code embedded that redirects recipients to a malware-serving website. The ultimate payload is used to gain control of a user’s Windows computer.

The ADA told independent security researcher Brian Krebs that the supply chain is to blame, and that only a fraction of the drives are actually infected.

“Of note it is speculated that one of several duplicating machines in use at the manufacturer had become infected during a production run for another customer,” the ADA said. “That infected machine infected our clean image during one of our three production runs. Our random quality assurance testing did not catch any infected devices. Since this incident, the ADA has begun to review whether to continue to use physical media to distribute products.”

And review it they should. Despite our common assumption that a hard copy of anything is preferable to a download (and amid concerns as to the security of the cloud), it should be remembered that distributing malware by physical media was the first vector for computer viruses way back in the 1980s.

“Mailing physical media—no matter how official-looking it may appear—is no substitute for offering a secure download of any material,” said Tod Beardsley, security research manager at Rapid7, via email. “If you get a USB drive in the mail, it should not be trusted at all. There is no way to reliably determine a mailed USB drive’s origin or contents before inserting it into a computer. This strategy continues to be popular today, since direct access to an end user machine bypasses all the network-based intrusion and malware detection systems IT organizations have put in place to protect their assets.”

Bob Ertl, senior director of product management at Accellion, echoed the sentiment: “There is very little excuse for using USB drives as a means of storing and sharing information. With industry-compliant cloud technologies readily available and affordable, organizations should abandon the USB drive once and for all.”

Krebs reported that most ADA members received instructions for a downloadable version of the PDF. The ADA shared a mail that it sent to members:

“We have received a handful of reports that malware has been detected on some flash drives included with the 2016 CDT manual,” the ADA said. “The ‘flash drive’ is the credit card sized USB storage device that contains an electronic copy of the CDT 2016 manual. It is located in a pocket on the inside back cover of the manual. Your anti-virus software should detect the malware if it is present. However, if you haven’t used your CDT 2016 flash drive, please throw it away. To give you access to an electronic version of the 2016 CDT manual, we are offering you the ability to download the PDF version of the 2016 CDT manual that was included on the flash drive.”

Ertl told Infosecurity that the whole situation violates best practices.

“Like sharing passwords, connecting untested thumb drives to information systems containing sensitive data like personal health information (PHI) violates the most fundamental rules of InfoSec,” he said. “The healthcare industry—which includes dentistry—is fraught with data breaches and the reason why is crystal clear: stolen PHI is worth as much as 50 times the value of a stolen credit card on the black market.”

Ransomware: 85% of Victims Would Say No to Paying Up

Ransomware continues to thrive, with a significant increase in detections of the malware from October 2015 to March 2016, according to ESET. But there’s a long way to go when it comes to consumer education on the issue.

The firm’s recent survey of the attitudes and knowledge that individuals have about ransomware asked 3,000 respondents across the US and Canada a series of revealing questions. Encouragingly, about 85% of respondents said that they wouldn’t pay the ransom fee if faced with an infection.

But the other stats suggest that respondents may not have fully understood what they were being asked. Almost a third (30%) said that they didn’t know what ransomware was. Younger people, aged 18-24, were less likely to know what it was and what it does (34% were in the dark), vs. older people: Only a quarter (25%) of those 65+ didn’t know what ransomware is.

“Despite the attacks we have seen, and the widespread reporting on ransomware in the news in recent months, many people still don’t know what it is,” said ESET senior security researcher Stephen Cobb.

Another third (31%) said that they never back up their files. Once again, the younger crew fared the worst: 35% of them don’t use backups.

“Criminals use this nasty breed of software to reach out over your internet connection and kidnap the contents of your computer, literally holding them for ransom,” Cobb said. “Ransomware silently encrypts all of your personal files, making them unreadable, and then demands that you send money to the criminal in order to restore them….Family photos and videos. Tax returns and other financial records. Business documents. Think about everything that you keep on your computer. What would happen if it all was stolen from you?”

Users can protect themselves by keeping their software programs up-to-date, installing an internet security suite, backing up data and learning to spot a phish—ransomware’s favorite vector.

“We do believe that the first step in protecting against cyberthreats like ransomware is awareness and education,” said Cobb. “The more people know about the types of threats that exist, the better they will be at taking necessary steps to defend themselves and their companies.”

Wells Fargo to Roll Out Eye-Scans for Mobile App Sign-In

American banking giant Wells Fargo plans to go ahead with its scheme to use eye scans to verify the identity of customers using its mobile app.

It said that it plans to roll out biometric security technology by July. Customers will use their iPhone cameras to take a picture of their eyes, and software in the bank’s mobile app will then translate the image into digital code to match a stored template. The system looks at the pattern of blood vessels in the whites of the eyes—a unique marker, like a fingerprint.

The system will only be in place for commercial lending customers—who typically handle millions of dollars in transactions. The existing authentication mechanism requires a user name, password and corporate ID number, and also a code from a hardware security token.

“User names and passwords are basically 15 years old. They’re at the end of their useful life,” Secil Watson, who oversees online and mobile applications for Wells Fargo commercial banking, told the LA Times. “Something needs to take their place.”

Wells Fargo will also soon roll out fingerprint identification, it said.

“Compared to entering a PIN or a password, biometrics offer a fantastically convenient user experience which is well-suited to the mobile environment, so it is easy to see why they are in such demand,” said Sirpa Nordlund, executive director, at Mobey Forum. “Naturally, banks and financial institutions are keen to offer this experience, but must also ensure they strike the right balance between convenience and security.”

A recent Mobey Forum survey shows that the vast majority of banks intend to implement biometrics in the relatively near future, just as the number of handset manufacturers planning to integrate biometric capabilities into their devices rises.

One effect of this integration of biometrics into mobile handsets is that it has removed a significant level of cost from banks, the research pointed out. But to move forward, banks must make a range of choices about factors such as system architectures, biometric modalities, proprietary or open solutions, security, and collaboration versus competition. While the technology will continue to develop, collaboration and standardization will be the best way for banks to address this, the Forum concluded.

Symantec Set to Appoint New CEO as Brown Steps Down

Symantec has confirmed that CEO Michael Brown is to step down, as it reported a drop in shares and estimated revenue that came in $12 million below its forecast range of $885 million-$915 million.

Brown, who has been CEO for more than one-and-a-half years, will continue in his post until a successor has been appointed. The security software maker said it formed an “office of president” to focus on the company’s strategic priorities as it continues its search for Brown’s successor, and that Ajei Gopal, who will also be part of that office, is rejoining Symantec as chief operating officer, according to Reuters.

Brown was appointed in March 2014, replacing Steve Bennett, who served as president and chief executive officer between 2012 and 2014 and was himself preceded by Enrique Salem.

Brown oversaw the division into two separate public companies; one focused on IT security and the other on information management. In August 2015 it completed the $8 billion sale of its Veritas data-storage and recovery division.

Elizabeth Denham Approved as Next ICO

Canadian Elizabeth Denham has been approved by parliament as the new head of the UK’s data protection watchdog the Information Commissioner’s Office (ICO), and will have her work cut out when she takes over this summer.

The current British Columbia information and privacy commissioner will take over from Christopher Graham in the hot seat for a period of five years.

Graham served seven years in the end having extended his initial term, but is prevented from continuing by the terms of the Protection of Freedoms Act 2012.

Denham has a fine track record in her home country, where she was director at the Office of the Information and Privacy Commissioner of Alberta, from 2003-2007, and then assistant privacy commissioner of Canada for three years, before taking up her role in British Columbia.

In the country’s westernmost province, she is apparently responsible for enforcing the Canadian Freedom of Information and Protection of Privacy Act (FIPPA), the Personal Information Protection Act (PIPA), and the Lobbyists Registration Act (LRA).

“I am delighted that Elizabeth Denham is set to take over as the next information commissioner. Elizabeth is an experienced information rights practitioner, essential when the ICO is busier than ever and facing the challenges of the digital age,” said Graham in a statement.

Indeed, Denham will arrive in the UK at a time when data protection has never been further up the boardroom agenda, or foremost in the minds of politicians.

Depending on the result of the European referendum, she could be in charge of corralling public and private sector organizations as they prepare for the coming EU General Data Protection Regulation, set to land on 4 May 2018.

As one of the biggest revisions to European privacy laws in a generation, it’ll be no small task. Trend Micro research released earlier this month claimed a fifth (20%) of UK IT decision makers are still unaware of its existence.

If the UK votes to leave the EU, her role may become even more important, in advising on a vital replacement framework for the EU GDPR. If one is not agreed it could severely impact the UK’s digital economy and lead to a stalemate of the sort seen recently over a successor to the US-EU Safe Harbor agreement.

Denham now only requires rubber-stamp approval from the Queen before taking up her role in the summer.

Cisco Spots New NTP Bugs

Cisco has identified six new vulnerabilities in the Network Time Protocol (NTP) which could allow cyber-criminals to craft DDoS attacks or prevent the correct time being set.

The Talos team explained in a blog post that it was responsibly disclosing the bugs after having coordinated fixes with the relevant bodies. It urged administrators to apply the patches or upgrade NTP daemon (ntpd) installations as soon as possible.

Its ongoing efforts are part of the Linux Foundation Core Infrastructure Initiative (CII), which aims to fortify the hugely popular open source software against exploitation, and have already resulted in the discovery of several NTP bugs.

The NTP daemon is a key time service ensuring that digital clocks in systems are synchronized to a common standard.

Cisco explained why finding bugs in the system is so important:

“Vulnerabilities that allow the time as understood by ntpd to be altered can be used by attackers to set the time to an arbitrary value. This allows attackers to prevent time dependent services from starting because the time of activation is never reached, to provoke the depletion of system resources by repeatedly reaching the time of activation of services, to gain system access by using expired certificates, to deny service by expiring legitimate services and caches.”

DDoS-ers have been exploiting vulnerabilities in the service to craft attacks since 2013, according to Cisco.

Typically, an attacker searches for exploitable NTP servers and then sends them traffic with a source address spoofed to mimic that of the victim. The NTP server(s) respond and flood the victim organization with traffic.

Since the US-CERT urged administrators to patch affected servers back in January 2014 there was thought to have been a decline in attacks, but it remains an issue, as Cisco’s latest bulletin reveals.
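As an added, defender-side example that is not from the Talos post or the US-CERT bulletin: flagging the reflection pattern described above in NetFlow-style records. The flow records, field layout, internal prefix and thresholds are all constructed or assumed for illustration.

```python
"""Flag NTP reflection/amplification patterns in flow records (constructed example)."""
from collections import defaultdict
from typing import NamedTuple

NTP_PORT = 123
UDP = 17


class Flow(NamedTuple):
    """Assumed NetFlow-like record: 5-tuple plus byte and packet counters."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    bytes: int
    packets: int


def ntp_reflection_suspects(flows, internal_prefix="10.", min_ratio=10.0, min_bytes=100_000):
    """Return {victim: report} for internal hosts receiving amplified NTP replies.

    A host is a suspect victim when UDP traffic *from* port 123 toward it is far
    larger than what it sent *to* port 123 at those servers, or arrives from
    servers it never queried at all (the spoofed-source pattern).
    """
    inbound = defaultdict(lambda: defaultdict(int))   # victim -> server -> bytes
    outbound = defaultdict(lambda: defaultdict(int))  # client -> server -> bytes
    for f in flows:
        if f.proto != UDP:
            continue
        if f.sport == NTP_PORT and f.dst.startswith(internal_prefix):
            inbound[f.dst][f.src] += f.bytes
        elif f.dport == NTP_PORT and f.src.startswith(internal_prefix):
            outbound[f.src][f.dst] += f.bytes
    suspects = {}
    for victim, servers in inbound.items():
        total_in = sum(servers.values())
        total_out = sum(outbound[victim].get(s, 0) for s in servers)
        unsolicited = sorted(s for s in servers if s not in outbound[victim])
        ratio = total_in / total_out if total_out else float("inf")
        if total_in >= min_bytes and (ratio >= min_ratio or unsolicited):
            suspects[victim] = {"bytes_in": total_in, "bytes_out": total_out,
                                "ratio": ratio, "reflectors": len(servers),
                                "unsolicited": unsolicited}
    return suspects


def internal_reflectors(flows, internal_prefix="10.", min_peers=20, min_avg_pkt=200):
    """Internal hosts answering from UDP/123 to many external peers with oversized
    packets: a sign our own ntpd is being abused as a reflector for someone else."""
    peers, total_bytes, total_pkts = defaultdict(set), defaultdict(int), defaultdict(int)
    for f in flows:
        if (f.proto == UDP and f.sport == NTP_PORT
                and f.src.startswith(internal_prefix) and not f.dst.startswith(internal_prefix)):
            peers[f.src].add(f.dst)
            total_bytes[f.src] += f.bytes
            total_pkts[f.src] += f.packets
    return {h: {"peers": len(p), "avg_pkt": total_bytes[h] / total_pkts[h]}
            for h, p in peers.items()
            if len(p) >= min_peers and total_bytes[h] / total_pkts[h] >= min_avg_pkt}


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 50123, "192.0.2.10", 123, UDP, 76, 1),        # normal sync request
    Flow("192.0.2.10", 123, "10.0.0.5", 50123, UDP, 76, 1),        # normal sync reply
    Flow("198.51.100.1", 123, "10.0.0.20", 80, UDP, 4_400_000, 10_000),  # unsolicited flood
    Flow("198.51.100.2", 123, "10.0.0.20", 80, UDP, 2_200_000, 5_000),   # unsolicited flood
]
# Internal ntpd answering 30 distinct external peers with ~440-byte packets.
SAMPLE_FLOWS += [Flow("10.0.0.9", 123, f"203.0.113.{i}", 40000 + i, UDP, 44_000, 100)
                 for i in range(1, 31)]

if __name__ == "__main__":
    print(ntp_reflection_suspects(SAMPLE_FLOWS))
    print(internal_reflectors(SAMPLE_FLOWS))
```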

Qatar Bank Hackers Got in Via SQLi – Expert

The vendor’s UK-based cybersecurity architect, Simon Edwards, revealed in a new blog post that on analyzing the 1.5GB of compressed data leaked online, it almost appears as if the hackers “dropped their hoard as they made their escape.”

“The files are arranged into three high-level folders: ‘Backup’, ‘Files’ and ‘Folders’. It is the first of these that shows that the attackers managed to obtain the data with an SQL injection attack; this gave them a large backup file containing the data they were after,” he explained.

“Using an open source SQL injection tool they were able to extract all of the customer data they needed. Interestingly, the log file points to the exploitation having started almost nine months previously.”

The data dumps into CSV files happened over the succeeding months, with many of these files created as late as April, and some data – mainly focused on foreign financial transactions paid to accounts in Jordan – converted into spreadsheets, he added.

Edwards speculated that as researchers work through this data they may find a link between the individuals profiled – including Al Jazeera staff and alleged spies – and the financial transactions.

“In a time where many data breaches cause as much embarrassment to those exposed as any direct financial loss, is this yet another example? With both the Ashley Madison and Mossack Fonseca data breaches we have seen that the motivation was about exposing the ‘corrupt’ – financially and/or morally,” Edwards argued.

“Is this breach trying to expose something similar, or is it simply perpetrators trying to find something which may never have been there in the first place?”

As for the perpetrators themselves, researchers at Digital Shadows believe they might be connected to those who carried out an attack on the UAE-based Invest Bank.

However, last month, a user named ‘bozkurt’ claimed in an underground forum post that Hacker Buba had told the user to release the entire Invest Bank data.

The post contained a link to a file containing 2.7GB of data.

What’s more, a Twitter account ‘Bozkurtlar,’ with the handle @ulkuocaklar1923 – meaning “Grey Wolves” in Turkish – posted a link to the same post, urging cyber-criminals to cash out money from the compromised accounts, Digital Shadows said.

Interestingly, at the end of the post came the ominous words: “Next arab bank soon.”

Grey Wolves could refer to the Turkish Nationalist group called Ülkü Ocaklari, which may explain the focus on these Middle Eastern banks, if true, Digital Shadows has speculated.

C3 Alliance is a Justice League for Privileged Account Protection

CyberArk has launched the equivalent of a cyber Justice League: The C3 Alliance brings together a super-group of companies for the purpose of boosting privileged account security best practices.

No doubt, it’s an area in critical need of rooting out some evil-doing. Consider: According to data collected by Varonis during 2015, there are 35.3 million files stored in four million folders, meaning the average folder has 8.8 files. However, 1.1 million folders, or an average of 28% of all folders, have “everyone” group permission enabled (open to all network users), while 9.9 million files were accessible by every employee in the company regardless of their roles.

The data disturbingly found that in one company, every employee had access to 82% of the 6.1 million total folders. Another company had more than two million files containing sensitive data (credit card, social security or account numbers) that everyone in the company could access.

The new alliance means to right this festering wrong. It includes BMC Software, Duo Security, FireEye, ForeScout, Intel Security, LogRhythm, Qualys, Rapid7, SailPoint, SecureAuth, Symantec, Tenable Network Security, Tripwire and Varonis. Together with CyberArk, the members have committed to incorporating CyberArk privileged account data into their own offerings, especially in the areas of proactive protection, detection and response.

The idea is to boost the level of insight and threat response for customers. As an example, ForeScout’s CounterACT requires administrative credentials for all of its customers’ network endpoints, servers, systems and devices. With the CyberArk integration, it can securely store and manage those credentials, ensuring that customers’ most privileged user accounts have around-the-clock protection.

Similarly, the integration of SailPoint IdentityIQ and the CyberArk Privileged Account Security Solution allows for a unified view and centralized control of all identities, all accounts and all privileges, enabling enterprises to better assess risks and streamline operations.

“Privileged account security has become increasingly critical, since compromised privileged account credentials are a common denominator of many modern attacks,” said Garrett Bekker, senior security analyst at 451 Research. “With certified integrations between CyberArk and alliance members’ products, the C3 Alliance should make it easier for customers to extend the power of privileged account security across their organization and enhance their overall security posture.”

“Our recent M-Trends report identified privileged account harvesting and abuse as the single most consistent attack vector witnessed during our engagements last year,” said Ed Barry, vice president, Cyber Security Coalition, at FireEye. “We’re pleased to be part of the CyberArk-led C3 Alliance and through tight integration of our respective solutions we enable our customers to respond much more quickly to these sophisticated attacks.”

Q1 Email Threats Soar 800% in a Year

The volume of malicious emails soared at the beginning of the year, with Locky ransomware and the Dridex banking trojan accounting for the vast majority of document attachment-based attacks in Q1, according to Proofpoint.

The security vendor’s Quarterly Threat Summary for the first three months of 2016 revealed a 66% increase in emails containing malicious URLs and attachments over the previous quarter. When compared to the same period a year ago, the increase was a staggering 800%.

Of the emails containing malicious document attachments, Locky accounted for 24% and Dridex 74%, leading Proofpoint to warn that organizations need “scalable, automated” defenses in place to block threats before they have a chance to infect networks.

Locky, along with other malware families like TeslaCrypt and Andromeda, has been spotted recently using new obfuscation techniques designed to help it evade security filters and improve its infection rate.

Another key trend for Q1 was the increasing prevalence of so-called business email compromise (BEC) campaigns.

Also known to some as “whaling,” these attacks usually involve a cybercriminal posing as a CEO or CFO and tricking a senior finance employee into transferring funds out of the company.

Proofpoint claimed that 75% of such attacks in the period relied on “reply-to” sender spoofing designed to trick the recipient into believing they were authentic emails.

“Technical defenses (such as enhanced email firewall rules) and user training can greatly reduce the risk from these threats,” the report noted.

“Even so, attackers are improving their effectiveness faster than people can be trained to look for new threats. As a result, automated advanced email threat defenses are essential to staying ahead of this high-yield threat.”
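As an added example, not taken from the Proofpoint report: a small mail-header check for the “reply-to” spoofing pattern described above, plus the display-name impersonation and lookalike domain that usually accompany it. The messages, the trusted domain `example.com`, the executive directory and the similarity threshold are all constructed or assumed.

```python
"""Flag BEC indicators in inbound mail headers (constructed example)."""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"                        # assumed: our own mail domain
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}     # assumed: display name -> real address


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def lookalike(domain: str, trusted: str = TRUSTED_DOMAIN, threshold: float = 0.8) -> bool:
    """True when a domain is not ours but is suspiciously close to ours (e.g. examp1e.com)."""
    return bool(domain) and domain != trusted and \
        SequenceMatcher(None, domain, trusted).ratio() >= threshold


def bec_indicators(raw_message: str) -> list:
    """Return a list of indicator labels for one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []
    # Core pattern: the visible sender is us, but replies are steered elsewhere.
    if reply_addr and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")
    # Either domain resembling ours points at a registered lookalike.
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        if lookalike(dom):
            findings.append(f"{label}-lookalike-domain")
    # A known executive's name on an address that is not their real one.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append("display-name-impersonation")
    return findings


# Constructed sample messages.
SPOOFED_REPLY_TO = """From: "Jane CEO" <jane.ceo@example.com>
Reply-To: <jane.ceo@examp1e.com>
To: finance@example.com
Subject: Urgent wire transfer

Please process today. Reply for account details.
"""

IMPERSONATED_NAME = """From: "Jane CEO" <jane.ceo@freemail.test>
To: finance@example.com
Subject: Quick favour

Are you at your desk?
"""

LEGITIMATE = """From: "Bob" <bob@example.com>
To: finance@example.com
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for m in (SPOOFED_REPLY_TO, IMPERSONATED_NAME, LEGITIMATE):
        print(bec_indicators(m))
```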

Elsewhere, Java and Flash Player vulnerabilities continued to be favored within exploit kits, with Angler EK accounting for 60% of total EK traffic.

However, other exploit kits showed signs of growth, with Neutrino up 86% and RIG up 136%, and KaiXin and Magnitude EK traffic up over 50% from the previous quarter.